+1 - Only open what is required for business.
–
skamradt Jul 28 '09 at 16:52

I hear what you're saying, but "needed for business" almost always turns out to include HTTPS, and once you've opened one port for encrypted - and therefore uninspectable - traffic, you've effectively opened everything. As has been said elsewhere, there are proxies which, combined with a local CA root installed on all browsers in the enterprise, can decrypt, inspect, and re-sign HTTPS traffic at the perimeter, but these are uncommon and expensive - and people using them probably don't need to ask the OP's question.
–
MadHatter Aug 19 '11 at 7:47

Your default firewall rule should be to deny all traffic in any direction

Other rules should be added on a per-requirement basis. For example, your DNS server(s) should be allowed to perform DNS lookups on the internet from the private network, but possibly no other machine should be allowed. Your HTTP proxy server should be allowed out on ports 80 and 443; no other devices should have this access unless absolutely required.

I have to disagree with Wil: any well-configured firewall should take into account traffic in both directions. If it doesn't, the value of a firewall is somewhat lost, as traffic does indeed flow in and out.

I would suggest you review your infrastructure and figure out what requires access in what direction. And check your logs frequently for any traffic that's being denied, and act upon it if required.

Block all incoming and outgoing traffic to ports 6800-7000 to block most default setups for bittorrent clients.

The problem with this is that users can adjust the ports on the client to use other ports.

As another stated, just having inbound traffic on port 80 is enough for many bittorrent clients to work, just very slowly.

The only true way to block it is if there is some marker in the packet from/to the bittorrent client that an intelligent router/firewall could read and then block. I am not aware of any markers like this, though. And most routers/firewalls would only read certain parts of the header, not the whole packet, which would be needed. It could add a significant delay to all network traffic at a large site.

You can also use a DNS system such as OpenDNS and set security up so that the known torrent tracking domains are blocked. I believe there is already a very large database of them. You can also have this system set up to not allow access to gaming sites, social networking sites, etc. It all depends on your business and whether your network users should be allowed access to Facebook or not.

Make it a KNOWN policy that it will not be tolerated, and appropriate action will be taken.

Perform random security audits of desktops to make sure that the security settings put in place are still in place.
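The two answers above both come down to a default-deny ruleset plus regular review of what the firewall denies. As an added example (not code from the thread or any of its posters), the script below parses iptables-style LOG lines for denied outbound packets and flags hosts that repeatedly hit the 6800-7000 range, or that try port 53/80/443 without being the designated DNS server or HTTP proxy. The log prefix `FW-DENY`, the addresses of the DNS server and proxy, and the sample log lines are all constructed assumptions.

```python
"""Summarise firewall deny logs to find hosts that need attention (constructed example)."""
import re
from collections import Counter, defaultdict

# Port range the thread suggests blocking for default bittorrent client setups.
BT_PORTS = range(6800, 7001)
# Ports that only the DNS server / HTTP proxy should use outbound (assumed addresses).
ALLOWED_HOSTS = {53: {"10.0.0.53"}, 80: {"10.0.0.8"}, 443: {"10.0.0.8"}}

# Matches the field layout iptables writes for a rule like:
#   iptables -A OUTPUT -j LOG --log-prefix "FW-DENY "   ("FW-DENY" is an assumed prefix)
LOG_RE = re.compile(
    r"FW-DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log; documentation-range addresses, not real hosts.
SAMPLE_LOG = """\
Jul 28 16:52:01 gw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=6881 WINDOW=0
Jul 28 16:52:02 gw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51235 DPT=6889 WINDOW=0
Jul 28 16:52:03 gw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=192.0.2.77 LEN=60 PROTO=UDP SPT=51236 DPT=6969 WINDOW=0
Jul 28 16:53:10 gw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.0.1.40 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=443 WINDOW=0
Jul 28 16:53:11 gw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=10.0.1.40 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=40002 DPT=53 WINDOW=0
Jul 28 16:54:00 gw kernel: unrelated kernel message
"""


def parse_deny(line):
    """Return the interesting fields of a deny record, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def summarise(log_text):
    """Map each internal source address to a Counter of denied destination ports."""
    by_src = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec:
            by_src[rec["src"]][rec["dpt"]] += 1
    return by_src


def flag_hosts(by_src, min_hits=3):
    """List (source, reason) pairs worth acting on: repeated bittorrent-range denials,
    or web/DNS denials from a host that is not the designated proxy or DNS server."""
    findings = []
    for src, ports in sorted(by_src.items()):
        bt_hits = sum(n for p, n in ports.items() if p in BT_PORTS)
        if bt_hits >= min_hits:
            findings.append((src, f"{bt_hits} denied connections to ports 6800-7000"))
        for port, n in sorted(ports.items()):
            if port in ALLOWED_HOSTS and src not in ALLOWED_HOSTS[port]:
                findings.append((src, f"{n} denied attempt(s) on port {port}, reserved for {sorted(ALLOWED_HOSTS[port])}"))
    return findings


if __name__ == "__main__":
    for src, reason in flag_hosts(summarise(SAMPLE_LOG)):
        print(f"{src}: {reason}")
```

Point the script at your real deny log instead of `SAMPLE_LOG`; hosts that show up repeatedly are the ones the policy on this page says to follow up on.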